y ^^^^ ^ plurality of the distributed electronic devices, generating a partial result 

Q,D^ for the distributed cryptographic computation using at least one of said random values; and 

(d) computing a final result for the distributed cryptographic computation using partial 
results. 



REMARKS 



The applicants respectfully request reconsideration and allowance of this application. 
After entry of this Amendment, claims 1-12 and 17-25 wall be pending, with claim 1 amended. 

Claims 1-12 and 17-31 were rejected as being anticipated by Gennaro et al. For 

convenience, the applicants respectfiiUy repeat here a short portion of remarks from the 

Preliminary Amendment with reference to an embodiment disclosed in pages 9-12 of the 

specification. That embodiment may be implemented in an architecture shown in Fig. 1 . For 

clarity in communicating concepts, shared randomness was discussed with reference to a specific 

example of distributed signing. Such specificity is not intended to limit the scope of protection. 

Fig. 1 shows an architecture having five signing units. Those 
devices may be designated as "1," "2," "3," "4," and "5." During a 
setup phase, members of the system adopt a series of pseudorandom 
fiinctions PRFk(*) indexed by variable "k." During later phases, the 
variable "k" may take on specific values depending on context. Also 
during the setup phase, each pair of signing devices jointly generates 
a shared secret key Oij. For example, signing devices "1" and "2" 
both generate the same shared key ai,2 (which is identical to 02,1), 
signing devices "1" and "3" generate a different shared key 01,3 and 
so on for all pairs that can be formed among the five devices. The 
values of a may be used as the index value "k" for the 
pseudorandom fimction. 

During an operation to sign a specific message m, a subset of 
devices may be selected, such as three out of the five. If the three 
devices are "1," "2," and "3," the set A = {1, 2, 3}. As described on 
page 1 1 of the specification, each member of the set A will compute 
a value s'mj,A that includes the following term: 2]veA/j sign(j - v) • 
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PRFoj^v. The sum is taken over all devices v that are elements of the 
set A excluding device j. For signing device "1," j = 1, and the 
summation has two terms: a term for v = 2 and a term for v = 3. The 
terms of the summation would be: 

sign(l - 2) • PRF 01,2 (m) + sign(l - 3) • PRF ai,3.(m). 

Signing device "2" would have terms for j = 2 and v ^ 1 , 3. Signing 
device "3" would have terms for j = 3 and v = 1, 2. 

Each pair of signing devices shares a unique source of randomness 
in the form of the function PRF Oj^v- Because Oj^v = Ovj (they are 
equal values), pair members will select the same pseudo random 
function (PRFoj^v = PRFc^vj) and contribute partial results with 
"random" contributions that are actually related to one another. An 
error or misbehavior of a participant will be revealed if contributions 
do not relate properly. For example, a final signature will not verify 
unless both members of a pair contribute shared random values with 
the required relationship. As stated on page 10 of the specification, 
the sharing of the pseudorandom fimctions and their invocation in 
the computation generates a "t-wise hand shake." 



^Gennaro et al. does not disclose such a sharing of(§oiirces of randomnesj^ for use in 
computing. Gennaro et al. discloses a different kind of sharing for a different purpose. The 
sharing of Gennaro (on which the rejection is believed to be based) is the sharing of a secret key 
in the form of values related to ~ but different from - the key. An umber of shares is^e quired to 
obt ain sufficient i nfom iation to determine the key. Ijpne of ^^ ^^^gjnemb ers individu ally 
p ossesg.e^ s.ufficient info^t^ion^to ktio^ key; In the sharing used to generate randomness in 
the embodiment of Fig. 1 of the pending application, each member of a group kno ws a value that 
is equal to the value known by other members. Eachj nember k nows the shared value. This is 
different from Gennaro, w here a member's share isu^ fficient toj giowjh^^ 

Furthermore, the shared value of the embodiment of Fig. 1 is used to index a pseudo 
random function to generate values useful for detecting misbehaving members of the group. 
This is a different motivation from threshold secret sharing of Gennaro, which shares values 
related to a key to avoid a single point of attack (or failure) of key material. While the members 





of the group of the embodiment of Fig. 1 might also engage in a threshold sharing of a 
cryptographic key, that sharing would be a distinct aspect from knowing a shared value for 
generating randomness. 

In light of the above remarks, it is believed the merit of this application will be 
appreciated and that the application will be passed to issuance. If, however, the Examiner is not 
persuaded, the applicants request an opportunity for a personal interview at the Examiner's 
earliest convenience. 

I hereby certify that this correspondence is being Respectfiilly^ubmitted, a 
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VERSION WITH MARKINGS TO SHOW CHANGES 

1 . (Amended) A method of distributed cryptographic computation using a plurahty 
•of distributed electronic devices, said method comprising: 

(a) computing shared values over a known and agreed context, each shared value being 
known by each member of [shared among] a distinct subset of the plurality of distributed 
electronic devices; 

(b) at each of a plurality of the distributed electronic devices, generating a random value 
using said shared values; 

(c) at each of a plurality of the distributed electronic devices, generating a partial result 
for the distributed cryptographic computation using at least one of said random values; and 

(d) computing a final result for the distributed cryptographic computation using partial 

results. 
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